Advocates of the Europay, MasterCard and Visa (EMV) card payment standard in the U.S. may well have been in a cold sweat at the recent Black Hat USA 2012 security conference, when a couple of researchers shone a light on alleged EMV security vulnerabilities.
Card networks, tech firms and pundits have been touting the strength of the EMV protocols as a necessary upgrade over magnetic stripe card payments, while acknowledging lingering safety gaps in EMV for certain types of remote transactions. Their reaction to the Black Hat demo has been mostly defensive. "This [Black Hat] vulnerability is absolutely something that was done in a research laboratory," says Colin McGrath, vice president of development for MasterCard.
Analysts concur that a vulnerability discovered in the lab doesn't necessarily translate to reality for crooks. "What I have heard is that [the type of fraud] that has been demonstrated at Black Hat theoretically has never been encountered in the real world," says Beth Robertson, director of payments research at Javelin Strategy & Research.
The controversy started when two researchers for MWR InfoSecurity used specially built EMV cards to compromise parts of point-of-sale payment devices, such as card readers, statement printers or personal identification number (PIN) pads. The fake EMV cards included code that, when the card was inserted into a smart card reader, triggered predatory "Trojan" programs that recorded the numbers and PINs of other cards inserted into the reader shortly after. These card numbers were then lifted by a second fake card that was inserted into the point-of-sale device. Among the potential crimes that can result are stealing other card numbers and duping store clerks, who think a real transaction has taken place but are unknowingly enabling crooks to buy stuff without paying for it.
The recent Black Hat vulnerability followed an earlier alleged EMV flaw discovered by researchers at Cambridge University, who built a device that attaches to a payment card. When the attached card is inserted into a chip and PIN machine, the device tricks the machine into accepting the card.
McGrath insists the EMV standards are safe for payments, and that the lab-produced vulnerabilities are too complex to be useful for crooks. "You need a backpack full of wires and a stolen payment card, and then maybe you could get one transaction done. It's not economically feasible for a crook to go into that effort."
MasterCard, along with Visa and Discover, has established a timeline for merchants to migrate from magnetic stripe payments to EMV payments. MasterCard in mid-September extended that migration to include all U.S. ATM machines by 2016. The argument is EMV cards are safer because the cards use algorithms and in most cases a personal identification number [PIN] to authenticate a transaction between the point of sale terminal and the issuing institution's payment processing system - making card theft techniques such as skimming more difficult. "You're introducing dynamic data into the payments. And EMV is proven, tested and scalable," McGrath says.
EMV does appear to be making payments safer. The European Central Bank says payments fraud in the European Union has been declining since 2007, a trend it attributes to EMV cards, which became widely used during that time. The central bank says fraud declined more than 12 percent between 2009 and 2010 alone (the latest period for which data is available), and the share of fraud in the overall value of all transactions fell from 0.045% in 2007 to 0.0040% in 2010.
MWR InfoSecurity, a security research and consulting firm, did not make an executive available for an interview, and did not identify the types of terminals used in the Black Hat EMV fraud experiment. But at least one payment hardware firm is responding. In an email to BTN, a VeriFone spokesperson said the San Jose-based point-of-sale equipment firm became aware of MWR's claims and subsequently engaged in a dialogue with the consultancy. It then developed a software update, received approval from EMVco (the card network consortium that oversees the EMV standards), and released the update on August 30th, several days ahead of schedule.
There are also other risks associated with EMV. In its research, the European Central Bank also found that overall fraud for card-not-present (CNP) transactions has been increasing (the share of CNP fraud increased from 47% to 50% and the value increased from about $730 million to $828 million), with about 71 percent of the CNP fraud coming via online transactions.
And George Tubin, a senior security strategist at Trusteer, says EMV payments also face a malware threat that's driven by social engineering, or crooks tricking users into voluntarily compromising themselves. "There's an education requirement here for banks. They need to tell their customers 'we're not going to do this [proactively contact consumers and ask for card identification].'"
Researchers have found EMV vulnerabilities, but the tech's likely safer than mag stripe.